3Phase 2 Plans 3.1Phase 2 Vision
The context for Phase 2 efforts is Dartmouth’s long range vision of extensive PKI integration into campus computing fabrics. PKI’s certificate based technology with flexible attributes capabilities provides an extensive, scaleable architecture for bringing authentication and authorization to an individual level. This opens up a whole new paradigm for personalizing network access and resource allocation that scales well beyond today’s traditional security schema.
Possible applications of PKI include:
-
PKI authentication for secured resources, including:
-
Wireless and wired network, access for desktop, public, portable, and handheld computing devices.
-
Digital Library resources.
-
Student information systems.
-
Administrative systems.
-
Email, instant messaging.
-
PKI-enabled new administrative processes:
-
Digital document signing to allow us to streamline administrative operations away from signed paper forms.
-
Web services for business process automation.
-
PKI-secured communications:
-
S/MIME email for all users.
-
SPAM free email lists.
-
Store personal email securely with encryption.
-
PKI-secured critical data with encryption:
-
Student medical information.
-
Sensitive research data.
-
Student academic records.
-
Sensitive HR data.
-
Financial data.
-
Admissions data.
-
PKI can become a personal electronic key plus college ID plus cyber security certificate, all in one consolidated device with embedded PKI technology.
In one possible future, students and staff carry a wireless handheld organizer/phone/browser device into which they plug their PKI-enabled ID card (and by so doing are authenticated to the wireless network). This combination can automatically authenticate the user via PKI to applications on the network with just the typing of a code for the session and a password into the handheld. Or they can plug the ID card directly into a client computer, library checkout reader, the lock on a door, a cafeteria checkout reader, etc. Depending on security requirements, these operations may or may not require a password to go along with the PKI authentication. In this same future, users supply keys for signing and encrypting email and electronic documents easily and conveniently with their wireless or direct-plug PKI capabilities. The essential ingredient here that PKI provides is a personal device with a unique and secure personal electronic key that users carry as an “all-in-one” key for all these purposes.
3.1.1Integration
In the original proposal, we envisioned intervals in which we would evaluate the work so far, and consider how ideas could cross over between the design and deployment teams.
The phase 1 work already reflected interaction between the teams: deployment application work drove research/design vulnerability analyses; research/design's work on trusted paths, WebALPS, and SSH have all been considered for deployment.
In the second phase, we plan for this interaction to continue and grow. We plan to integrate the S/MIME expertise of the development team and the hardened S/MIME gateway work; we plan to use the private credential server and the AXIS system as soon as they are ready; we plan to explore porting open-source tools onto trusted hardware; and we plan to use both research and deployment expertise in user and guest authorization for wireless networks.
Furthermore, in both phases, the user studies work and the research/design/deployment work are closely related.
3.1.2Phase 2 Themes
Phase 2 encompasses the following main themes:
-
Research and development
-
User studies
-
Local deployment
-
National deployment
-
Securing wireless networks
A prominent development in phase 2 is the emergence of securing wireless networks as a compelling application of PKI, both on and off campus.
Research and User Studies will continue existing projects and undertake new ones as planned. In Deployment, we will continue to develop PKI production knowledge and experience in the context of actual “real user” deployments at Dartmouth and at other schools.
On-campus deployment will take place in the following areas:
-
Securing our wireless network
-
Authentication and authorization for web applications:
-
Library journal applications
-
TuckStreams
-
Student admin system (Banner)
National outreach will proceed on multiple fronts with increasing emphasis placed on activities that get the best traction:
-
Web reference information
-
Web seminars
-
PKI summit hosted at Dartmouth
-
Public relations (press and analysts)
-
Test certificate authority
-
Presentations and papers
-
Tools and applications distributions
-
Open source CA and/or Turn-key HEI-PKI
-
Selected campus visits and direct phone/email consultation with IT leadership and technical staff deploying PKI at other HEIs
-
Partnership deployment projects with corporations and remote campuses
-
Influence on vendors as they improve PKI features in their products
3.2Deployment Team Plan Phase 2
Deployment team activities fall into the following main categories:
3.2.1Production Knowledge
For phase two, the PKI Lab team plans to continue the general PKI awareness activities already in progress and expand their scope. More importantly we need to undertake the next steps to foster the creation of PKI applications and infrastructure deployment at other Institutions of Higher Education. Our phase 1 outreach efforts indicate that the Dartmouth PKI installation and applications can currently solve problems faced by other HEIs. The next steps are the need for other successful production deployments and the perceived need for an environment in which an expanding circle of IT people can experiment on their own campuses.
The team will continue to document extensively the knowledge and experience we gain through our deployment activities. This documentation has already proven extremely valuable internally and to our early outreach partners. It will become even more valuable as we expand our national outreach scope.
PKI Applications Development
The deployment team will continue to work on PKI applications that Dartmouth is interested in pursuing. These include:
Complete and Adapt Design Team Projects
The design team has developed several applications and components that are worth extending, porting, generalizing, polishing, and distributing:
-
The WebAlps implementation of a secure web server.
-
The work done on an SSH Server seems to solve a common problem with applying SSH in general.
-
The research team’s methods for improving the trust characteristics of Mozilla
A key shared interest for the design and deployment teams is in developing Web based secure mail services. Because of the popularity of web based mail, a server based solution for S/MIME functionality would be very useful. Even a partial solution to this problem would be useful as a transition strategy for S/MIME usage as explained earlier in this report. Solutions in this space could be significant application drivers for PKI deployments at other institutions. S/MIME functionality provides assurance of the sender’s identity and can provide a way to highlight important communications in a rising tide of e-mail “noise” (for example from junk mailings and virus infection attempts). Encryption allows e-mail to move from a technology most analogous to “post cards” towards something more closely resembling “first class” mail.
3.2.2Local Deployment PKI Accessibility to General Users
The deployment team will support and enhance our production Dartmouth certificate authority and accompany registration system as they serve increasing numbers of users. Communications Services will continue to help improve and maintain our “Using PKI at Dartmouth” user web. We will continue to educate and assist our consulting team as PKI usage ramps up. We will probably need to develop a higher assurance PKI registration process for some of the applications under consideration.
Dartmouth’s general PKI infrastructure will evolve as our experience grows and as we incorporate findings from Research and User Studies. It will serve as a working example for our national outreach program.
Applications
We have selected authentication and authorization for web applications as our first area for “real user” application deployment. Specifically, we will deploy authentication and authorization for:
Project leaders in Dartmouth’s computing services, libraries and other departments need to take over the details of supporting PKI authentication in the production systems and their ongoing operation.
3.2.3National Deployment
The Outreach section (see 3.4) covers the details of national deployment, but it is important to acknowledge here that PKI lab deployment team staff will contribute to the national deployment effort and to the PKI lab’s outreach program in general. The team’s collective wisdom and assistance will be crucial to the success of the outreach work.
Share with your friends: |